Analysis
-
max time kernel
149s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
21-11-2024 07:39
Static task
static1
Behavioral task
behavioral1
Sample
c286b15469dc04439c9b47a391f6a17454ec0847f05be01fc37c7207dfda97e1.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
c286b15469dc04439c9b47a391f6a17454ec0847f05be01fc37c7207dfda97e1.exe
Resource
win10v2004-20241007-en
General
-
Target
c286b15469dc04439c9b47a391f6a17454ec0847f05be01fc37c7207dfda97e1.exe
-
Size
56KB
-
MD5
39ff66d5fa290e82b58b71ca74860281
-
SHA1
fbd5718d59efc4b671c9de27acefbcf896b5bf57
-
SHA256
c286b15469dc04439c9b47a391f6a17454ec0847f05be01fc37c7207dfda97e1
-
SHA512
2187c82681e70dc6bd999a228124a1ac03af34cc4374a64721db295895860931add7a5108cfca06ce2de4b9a1f36087352c89917fe320ffe76b5814a33332b9d
-
SSDEEP
1536:DqMA6C1VqaqhtgVRNToV7TtRu8rM0wYVFl2g5u58dO0xXHQEyYfdhNhFO5h3xhIj:+MA6C1VqaqhtgVRNToV7TtRu8rM0wYVF
Malware Config
Signatures
-
Deletes itself 1 IoCs
Processes:
  pid 2664  microsofthelp.exe
-
Executes dropped EXE 1 IoCs
Processes:
  pid 2664  microsofthelp.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe"
  process: c286b15469dc04439c9b47a391f6a17454ec0847f05be01fc37c7207dfda97e1.exe
-
Drops file in Windows directory 1 IoCs
Processes:
  description: File created
  ioc: C:\Windows\microsofthelp.exe
  process: c286b15469dc04439c9b47a391f6a17454ec0847f05be01fc37c7207dfda97e1.exe
Note: creating a file directly under C:\Windows requires an elevated (administrator) token; the sample ran here from the Admin user's profile, so the same drop would fail for a standard user.
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
Processes:
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  process: c286b15469dc04439c9b47a391f6a17454ec0847f05be01fc37c7207dfda97e1.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  process: microsofthelp.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
  description: PID 2244 wrote to memory of 2664 (observed 3 times)
  process: c286b15469dc04439c9b47a391f6a17454ec0847f05be01fc37c7207dfda97e1.exe
  target process: microsofthelp.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\c286b15469dc04439c9b47a391f6a17454ec0847f05be01fc37c7207dfda97e1.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c286b15469dc04439c9b47a391f6a17454ec0847f05be01fc37c7207dfda97e1.exe"
   - Adds Run key to start application
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2244
   2. C:\Windows\microsofthelp.exe (child of PID 2244)
      Command line: "C:\Windows\microsofthelp.exe"
      - Deletes itself
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 2664
-
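The chain the signatures and process tree record (the sample writes C:\Windows\microsofthelp.exe, points an HKCU Run value at it, spawns it as PID 2664, and the child is flagged for deleting itself) is a good fit for event correlation keyed on process ID. The script below is an added example for this page, not sandbox output and not code from the sample. It constructs synthetic Sysmon-style events that mirror the report's IoCs; the event IDs (1, 11, 13, 23) and field names (Image, TargetFilename, TargetObject, Details, ParentProcessId) are assumptions about the log format, and modelling "Deletes itself" as the spawned copy removing the original sample file is an assumption about what that signature observed. A finding is raised only when the dropped path, the Run value data and the spawned child all refer to the same file, which keeps a lone Run-key write or a lone drop into C:\Windows from firing on their own.

```python
"""Correlate Sysmon-style events into the drop -> Run key -> spawn -> delete
chain shown in this report. Added example for this page; not sandbox
output and not code from the sample. Event IDs (1 process create,
11 file create, 13 registry value set, 23 file delete) and field names
(Image, TargetFilename, TargetObject, Details, ParentProcessId) follow
Sysmon conventions but the events below are constructed, not captured."""
from collections import defaultdict

# Paths and registry value taken from the report's IoCs.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\c286b15469dc04439c9b47a391f6a17454ec0847f05be01fc37c7207dfda97e1.exe")
DROPPED = r"C:\Windows\microsofthelp.exe"
RUN_VALUE = (r"HKU\S-1-5-21-3756129449-3121373848-4276368241-1000"
             r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsofthelp")

# Constructed events mirroring the report: PID 2244 drops the file, sets the
# Run value, spawns PID 2664; the child then deletes the original sample
# (an assumption about what the "Deletes itself" signature observed).
EVENTS = [
    (1,  {"ProcessId": 2244, "ParentProcessId": 1000, "Image": SAMPLE}),
    (11, {"ProcessId": 2244, "Image": SAMPLE, "TargetFilename": DROPPED}),
    (13, {"ProcessId": 2244, "Image": SAMPLE, "TargetObject": RUN_VALUE,
          "Details": DROPPED}),
    (1,  {"ProcessId": 2664, "ParentProcessId": 2244, "Image": DROPPED}),
    (23, {"ProcessId": 2664, "Image": DROPPED, "TargetFilename": SAMPLE}),
]

WINDIR = "c:\\windows\\"
RUN_SUBKEY = "\\currentversion\\run\\"


def norm(path):
    """Case-fold and unquote paths: NTFS and the registry are case-insensitive."""
    return path.strip('"').lower()


def find_drop_persist_chains(events):
    """Return one finding per process that wrote a file under the Windows
    directory AND pointed a Run value at that same file. The finding also
    records whether the process spawned the dropped file and whether that
    child deleted the parent's own image, so partial chains stay visible."""
    state = defaultdict(lambda: {"image": None, "dropped": set(), "run": set(),
                                 "children": set(), "self_delete": False})
    parent_of = {}
    for event_id, f in events:
        pid = f["ProcessId"]
        rec = state[pid]
        if rec["image"] is None:
            rec["image"] = norm(f["Image"])
        if event_id == 1:
            parent_of[pid] = f["ParentProcessId"]
            if f["ParentProcessId"] in state:
                state[f["ParentProcessId"]]["children"].add(norm(f["Image"]))
        elif event_id == 11 and norm(f["TargetFilename"]).startswith(WINDIR):
            rec["dropped"].add(norm(f["TargetFilename"]))
        elif event_id == 13 and RUN_SUBKEY in norm(f["TargetObject"]):
            rec["run"].add(norm(f["Details"]))
        elif event_id == 23:
            parent = parent_of.get(pid)
            if parent in state and norm(f["TargetFilename"]) == state[parent]["image"]:
                state[parent]["self_delete"] = True

    findings = []
    for pid, rec in state.items():
        persisted = rec["dropped"] & rec["run"]
        if not persisted:
            continue
        findings.append({
            "pid": pid,
            "image": rec["image"],
            "persisted": sorted(persisted),
            "spawned_dropped": bool(persisted & rec["children"]),
            "self_delete": rec["self_delete"],
        })
    return findings


if __name__ == "__main__":
    for hit in find_drop_persist_chains(EVENTS):
        print(hit)
```

Run against the constructed events it yields a single finding for PID 2244 with both `spawned_dropped` and `self_delete` set; feeding it only the first two events (drop without the Run value) yields nothing, which is the intended behaviour since a file write into C:\Windows by itself is routine installer activity.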
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
56KB
MD5
3ffd63d5f2be0a4fbd05675cc2e8f18b
SHA1
03d59d2aaa63368c28166f587781427f97e7b2c7
SHA256
dffd8f851417e9568dd4c0301d7ec7e6b1f4fbdc63fff4c890b925e73074ea13
SHA512
c20b8ccc327b96009456434b89b2dc19af114b2f45a45b076fe8debf58bc0009e0074bb57d2dc726d47d326e2af235e06a3a55749827e7f6981ca472c9d451d2
Note: this file matches the submitted sample in size (56KB) but none of its hashes match the sample's, so hunting on the submitted sample's hashes alone will not find it.